The data protection legislation in both Guernsey and Jersey prescribes offences of knowingly or recklessly obtaining or disclosing personal data (or the information contained within it) without the consent of the relevant controller. These mirror the offences set out in the UK’s Data Protection Act 2018.

It should be emphasised that a person acting in this manner commits a criminal offence (subject to proving any available defence). This is not a case of civil liability and hoping to rely on professional indemnity insurance to cover the costs of the error. On conviction for this particular offence, perpetrators in Jersey face the imposition of a fine, and those in Guernsey risk a combination of a fine and/or prison sentence of up to two years. Furthermore, where that individual is working in the financial services industry, theft of personal data is likely to be viewed seriously by the GFSC and JFSC when it comes to assessing whether an individual should be regarded as fit and proper.

Nevertheless, it seems that the threat of criminal sanction has not proved to be a sufficient deterrent to certain disgruntled or overly curious employees. Two very recent UK cases (dealt with under the previous regime of the Data Protection Act 1998) resulted in the imposition of fines on employees who unlawfully accessed patient medical records and the personal data of customers of a car dealership.

In Guernsey, February 2019 saw the acquittal of a hospital employee facing prosecution for unlawfully accessing patient records without proper justification, and judicial criticism that the employer did not, apparently, have in place a suitably accessible data protection policy at the relevant time. Whilst the new data protection regimes in both the UK and Guernsey will no doubt have led to changes and improvements in the approaches of the businesses or departments concerned, the actions of employees (whether “rogue” or inadvertent) remain one of the main sources of concern for boards.

Unfortunately for businesses, the ramifications of deliberate breaches by employees do not stop at the point of individual criminal sanction for the perpetrator.

A stark warning lies in the well-publicised case involving the deliberate circulation of employees’ payroll data by a disgruntled internal auditor of the Morrisons supermarket chain. The Court of Appeal in the UK upheld the High Court’s finding that, notwithstanding that the perpetrator’s actions were deliberate and intended to cause harm to Morrisons, the employer was vicariously liable for those actions (and the compensation sought by the employees).

It will be of concern to businesses that the deliberate act of a disgruntled employee can result in the employer shouldering loss claimed by the ultimate victims of the data breach. On policy grounds, it is understandable that the rights of the data subjects are best protected by way of civil redress against a financially stable (and usually insured) business. Whilst the sight of individual perpetrators being prosecuted may bring short term satisfaction for those impacted, there is often no effective redress or compensation available.

All is not lost – businesses can minimise their risk, in the following ways:

1. Regular staff training on data protection policy, including updates and refresher training, ensuring that staff understand and acknowledge their individual obligations and those of the business. Culture is key.

2. Restrictive, least-privilege access controls limiting access to personal data to those staff who require it for a specific and legitimate purpose, so that a rogue or careless employee can only reach the records their role actually needs.

3. Monitoring staff access to personal data held by the business so as to detect any unusual patterns of access or extraction.

4. Regular reviews of personal data inventories held by the business so as to ensure compliance with restrictions on time limits for its retention.
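Point 3 above is the one control that can be demonstrated in code. The following is an added illustration, not code from the article or from any firm mentioned in it. It assumes a constructed access-log format of one event per line ("timestamp user record-id view|export") and goes slightly beyond the text by using each user's own history as the baseline: a day on which a user touches far more distinct records than their historical median, or exports a bulk of records, is flagged. The log lines, user names and thresholds are all made up for the example.

```python
"""Flag unusual staff access to personal-data records from an access log.

Added illustration, not code from the article. It assumes a simple,
constructed log format: one event per line, whitespace-separated as
"<ISO-8601 timestamp> <user> <record-id> <view|export>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    record: str
    action: str  # "view" or "export"


def parse_log(lines):
    """Parse log lines in the assumed format into AccessEvent objects."""
    events = []
    for line in lines:
        ts, user, record, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, record, action))
    return events


def distinct_records_per_day(events, action=None):
    """Map (user, day) -> number of distinct records touched, optionally for one action."""
    seen = defaultdict(set)
    for e in events:
        if action is None or e.action == action:
            seen[(e.user, e.ts.date())].add(e.record)
    return {key: len(records) for key, records in seen.items()}


def find_anomalies(events, factor=3.0, min_baseline=5, export_threshold=10):
    """Return sorted (user, day, kind, count) alerts.

    "volume": the user touched more than `factor` times their own historical
    median of distinct records per day (floored at `min_baseline`, so a new
    starter with no history is still checked against a sensible minimum).
    "export": the user exported at least `export_threshold` distinct records in a day.
    """
    alerts = []
    per_user_days = defaultdict(dict)
    for (user, day), n in distinct_records_per_day(events).items():
        per_user_days[user][day] = n
    for user, days in per_user_days.items():
        for day in sorted(days):
            prior = [n for d, n in days.items() if d < day]
            baseline = max(median(prior), min_baseline) if prior else min_baseline
            if days[day] > factor * baseline:
                alerts.append((user, day.isoformat(), "volume", days[day]))
    for (user, day), n in distinct_records_per_day(events, action="export").items():
        if n >= export_threshold:
            alerts.append((user, day.isoformat(), "export", n))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample log: alice is steady then spikes, bob is steady, carol bulk-exports."""
    lines = []
    for day in range(1, 5):  # alice: 5 distinct records a day for four days
        lines += [f"2019-07-0{day}T09:{i:02d}:00 alice P{100 + i} view" for i in range(5)]
    lines += [f"2019-07-05T09:{i:02d}:00 alice P{200 + i} view" for i in range(40)]  # spike
    for day in range(1, 6):  # bob: 6 distinct records a day, plus a small legitimate export
        lines += [f"2019-07-0{day}T10:{i:02d}:00 bob P{300 + i} view" for i in range(6)]
    lines += ["2019-07-03T11:00:00 bob P300 export", "2019-07-03T11:01:00 bob P301 export"]
    lines += [f"2019-07-05T17:{i:02d}:00 carol P{400 + i} export" for i in range(25)]  # bulk export
    return lines


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(build_sample_log())):
        print(alert)
```

With the sample log this reports alice's 40-record day and carol's 25-record export day (carol trips both the volume and the export rule), and nothing for bob, whose two-record export stays under the threshold. In a real deployment the baseline would normally be built per role rather than per individual, and the alert would be routed to whoever owns the data protection policy rather than merely printed.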

If properly implemented and maintained, the above measures will assist a business to reduce the risk of accidental or deliberate conduct by staff that could result in civil or criminal liabilities. Building a culture of security and trust within an organisation and with customers is vital to maintaining success in today’s digital economy.
